Ideally you're storing your usernames and passwords in a secured password management tool like LastPass, but occasionally you need to share a password or some other sensitive piece of information with a friend or coworker. The problem: When you do it over IM or email, that sensitive data just got really insecure and easy to find. So how do you keep sensitive data out of your chat logs and email while still sharing it when you need to?

Option 1: Good Ol' LastPass

If you're already using LastPass, the free service allows you to create and share secured notes and logins with other LastPass users, keeping all of it encrypted all the time. (For what it's worth, I'm a happy LastPass Premium subscriber; it's $1 per month and you get access to their mobile apps.) LastPass' sharing feature lets you "securely share logins with friends and let them share logins with you and never worry about sending sensitive login credential by email ever again." That's exactly our goal here. To share anything via LastPass, just open up your LastPass Vault (if you're using the LastPass extension, just click the LastPass button and click My LastPass Vault. From there, find the login you want to share, click the Share link, and enter the email address of the person you want to share with. (You can actually share with up to 50 people.)

Advertisement

Option Two: Spread It Out Across Different Communication Methods

A password on its own, without any context whatsoever, isn't all that dangerous. Sometimes simply breaking up your sensitive data sharing across different methods of communication can make enough of a difference. I've had a friend share a password with me by sending it as an SMS without any other context, for example. I knew what it meant and where to use it, but in theory no one else would.

It's sort of like a lightweight two-factor authentication. Maybe you'd send a username over IM, a URL over email, and a password over SMS. A snoop would need access to all three buckets in order to put it all together. (That's not to say that it's completely secure, but it's a helluva lot more secure than keeping it all in your IM logs. Keep in mind that if you're using a desktop IM client with Google Talk/Gchat, for example, those chats are likely being logged on your hard drive and on Google's servers.)

Option Three: Self-Destructing Messages

Single-purpose webapp One Time Secret has one goal: to provide you with a place to share sensitive information without leaving a trace in your chat logs or email account.

You can find plenty of "self-destructing" message services online, which essentially is what One Time Secret is, but we like the idea that it's not focused around a self-destructing message—anyone can subvert the destruction by taking a screenshot. But assuming you and the person you're sharing the secret with are both on the same page regarding why you're using the service, the basic idea seems pretty solid. I'm always a little uncomfortable sending a username and password over IM or email specifically because they're not terribly difficult to access if someone steals your computer, and often they'll be the first places someone would look. Basically the service has you extract the sensitive piece of your conversation to a place that instantly expires. If you're sharing a user/pass, you wouldn't want to include the site where they're useful, for example—just the sensitive pieces that aren't useful at all without context. Or maybe you'd go a step further and separate the user and pass into two different expiring secrets. You can also password protect your secret so the person you're sharing it with needs both the secret URL and the passphrase.

There are, of course, some sticking points. The site doesn't have a privacy policy at the moment, but they claim the service is set up so that they literally can't serve any secret more than once. As I mentioned above, my suggestion would still be that you share secrets without context. For example, a password without a username or URL isn't terribly useful to a hacker.

How Do You Share Sensitive Data Without Leaving Too Obvious of a Trail?

I've run down a few of your options, but there are a lot of other ways to share a secret that I didn't mention. Do you do it over the phone? Only in person? Let's hear how you share sensitive information more securely than over IM in the comments.